John Deutscher

How Azure Media Services Earned CDSA Security Certification

April 14, 2015


Yesterday I announced, with no small amount of pride, that Azure Media Services has been certified under the CDSA's Content Protection & Security (CPS) program following an audit by a CDSA-appointed external auditor. We are the only media platform in the market to have achieved CDSA certification for its encoding platform services.

The CPS certification gives our customers, and yours, a standards-based assurance that the intellectual property rights of media assets stored, encoded, managed, and distributed from within Azure are protected. Further, if you build your own solution on top of Azure Media Services, you can reference our CPS certification as part of your own CPS certification effort, rather than re-auditing the platform layer yourself.

Today, I’d like to focus on how my team accomplished this, as well as how we plan to continue working to address media industry security concerns for both on-demand and live streaming workflows.

A lot of cloud encoding solutions pay lip service to security, but few are built from the ground up for the stringent requirements of the media industry. The entertainment industry has paid close attention to cloud security over the past few years, and for good reason. From the recent attack on Sony Pictures, which leaked films such as “Fury” and “Annie,” to “Game of Thrones,” the most pirated TV show in history, the need for better security standards in the handling of media content is now the number one requirement (and concern) we hear from customers looking to move to a public cloud.

Before I started working in the cloud, I worked in post-production and television for many years (including several years in production at Microsoft Studios). I’m very familiar with security best practices, guidelines and requirements through many years of experience operating and securing on-premises facilities. In the early days, piracy of content often came down to simple things like ensuring the nighttime tape operator, who had access to the vault, could not easily copy content onto a VHS and hand it out to friends. Or preventing someone from setting up a camera at a facility monitor and recording a film.

These days we have physical security in the form of gates, locked rack cages, card-key access, surveillance cameras, background checks, and detailed “chain of custody” tracking for physical tape/film and for digital files. At Microsoft Studios, we worked with both the physical security systems and the digital security systems that tracked the movement of content throughout the workflow. It takes a lot of work to set up this level of security and keep it running. And then there are the yearly compliance audits, which require retaining evidence that proves the rules were followed.

When our team first began building out Azure Media Services, I wanted to make sure that we would one day be able to submit our software and physical infrastructure to a full security audit and trusted external certification process. We looked very carefully at the workflow for cloud encoding:

1. Upload

2. Storage

3. Movement of assets across virtual machines

4. Reading movies into encoders

5. Storing the output from encoders

6. And most importantly, delivering content to customers

Each step was threat-modeled to assess its risk and to define the architecture for handling the media at that step, logging every access and movement, and keeping content encrypted throughout the workflow.
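One concrete way to make the “logging access and movement” part of that design tamper-evident is a MAC-chained custody log that records a content digest at each of the six workflow steps above. The following is an added illustration, not Azure Media Services code; the step names, actor names, asset id and media bytes are constructed for the example, and the log key is a placeholder held only by the logging service. Each entry commits to its predecessor's MAC, so an edit or deletion anywhere in the history breaks verification, and the digest sequence shows that the bytes changed only across the encode step, where they are supposed to.

```python
import copy
import hashlib
import hmac
import json

# The six workflow steps from the post, in order. Only the encode step may
# legitimately change the bytes (mezzanine in, encoded rendition out).
WORKFLOW_STEPS = ("upload", "storage", "move", "encode-input",
                  "encode-output", "deliver")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Deterministic encoding of every field except the MAC itself, so the
    # MAC covers exactly what was recorded.
    body = {k: v for k, v in entry.items() if k != "entry_mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Append-only custody log for one asset; entries are HMAC-chained."""

    def __init__(self, log_key: bytes):
        self._key = log_key  # assumption: held by the logging service only
        self.entries = []

    def record(self, step: str, actor: str, asset_id: str, content: bytes) -> dict:
        if step not in WORKFLOW_STEPS:
            raise ValueError(f"unknown workflow step: {step}")
        prev = self.entries[-1]["entry_mac"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "step": step,
            "actor": actor,
            "asset_id": asset_id,
            "content_sha256": sha256_hex(content),
            "prev_mac": prev,  # links this entry to the previous one
        }
        entry["entry_mac"] = hmac.new(self._key, _canonical(entry),
                                      hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, 'ok') or (False, reason) for the first bad entry."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e.get("prev_mac") != prev:
                return False, f"entry {i}: chain break"
            expected = hmac.new(self._key, _canonical(e),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e.get("entry_mac", "")):
                return False, f"entry {i}: MAC mismatch"
            prev = e["entry_mac"]
        return True, "ok"


def digest_changes(log: CustodyLog):
    """Consecutive step pairs between which the content digest changed."""
    out = []
    for a, b in zip(log.entries, log.entries[1:]):
        if a["content_sha256"] != b["content_sha256"]:
            out.append((a["step"], b["step"]))
    return out


def build_demo_logs():
    """Constructed sample run: a clean log and a copy edited without the key."""
    key = b"constructed-demo-key-not-for-production"
    mezzanine = b"constructed mezzanine bytes"    # stands in for the source file
    rendition = b"constructed encoded rendition"  # encoder output differs by design

    good = CustodyLog(key)
    good.record("upload", "ingest-svc", "asset-001", mezzanine)
    good.record("storage", "blob-svc", "asset-001", mezzanine)
    good.record("move", "scheduler", "asset-001", mezzanine)
    good.record("encode-input", "encoder-vm-7", "asset-001", mezzanine)
    good.record("encode-output", "encoder-vm-7", "asset-001", rendition)
    good.record("deliver", "origin-svc", "asset-001", rendition)

    # Someone with write access to the stored log, but not the key, rewrites
    # who performed the move step.
    tampered = copy.deepcopy(good)
    tampered.entries[2]["actor"] = "someone-else"
    return good, tampered


if __name__ == "__main__":
    good, tampered = build_demo_logs()
    print("clean log:", good.verify(), digest_changes(good))
    print("edited log:", tampered.verify())
```

The design choice worth noting: the MAC key never travels with the log, so an operator who can edit the log store still cannot forge or reorder entries, and an auditor checking the chain only needs the key and the entries. For a multi-tenant service you would key per tenant and ship the entries to write-once storage; the check itself stays the same.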

To help in the effort, my team enlisted several trusted advisors early on. One of these happened to be my old boss and good friend Mark Beauchamp, who started building interactive TV solutions with me back in the early 90s in Microsoft Advanced Technologies. Mark was responsible for building out the physical- and digital-security requirements of Microsoft Production Studios, where the majority of Xbox Live Video Marketplace encoding happens today. The production facility is a 50,000-square-foot traditional post-production studio on the main Microsoft campus in Redmond, WA. If you were to tour it, you would find all of the typical equipment: Avid Media Composers, Apple Final Cut Pro workstations, high-end audio production suites, and even three full sound stages with NBC Studio 30 Rock-style control rooms. Mark has been my go-to expert for all things related to the CDSA security standards and MPAA compliance for digital and physical security.

After evaluating all of the threats and risks with Mark and a pair of external auditors, we mapped all of the known compliance controls from both the CDSA and MPAA against our implementation of Azure Media Services so that we had a clear backlog of work to go after when we were building the service.

Building a Secure Service

With support from Mark, our own security architect Quintin Burns, and numerous meetings with external security advisors, the Microsoft Media Services team aligned our architecture with one of the more mature certification programs available: the Content Delivery & Security Association (CDSA).

Physical security was already being handled by multiple audits of Azure data centers around the world. Having the confidence that the data centers were being secured by the broader Azure team, we focused on the software stack and on our digital file and encoding workflows. We are luckier than some other companies. Microsoft Azure has its own security compliance team that works across multiple certification processes to handle physical and systems security of the datacenter and to validate the services that each individual team builds.

Recently Michael Glaros also joined the Azure compliance team as Sr. Program Manager for Risk, and has worked closely with our teams to drive the CDSA certification process. Michael previously spent many years at Sony Pictures as their Executive Director of Information Security, and at Deloitte where he delivered on an entertainment security program for multiple studios around the globe.

The CDSA and Content Protection Certification for the Cloud

The CDSA provides industry-acclaimed and proven content protection standards. Microsoft has been a member of and contributor to the CDSA for several years. I had been familiar with the organization and its respected standards programs for many years through industry events like NAB and several Hollywood conferences. In fact, I initially got in touch with the organization through a work colleague, James Dunkelberger, whom I coincidentally met at an internal Microsoft leadership-training event the year before we built Media Services. Dunkelberger, Senior Director of Product Release and Security Services at Microsoft, served as Chairman of the CDSA until 2014.

The CDSA’s Content Protection & Security (CPS) Standard forms the basis of a Content Security Management System (CSMS) providing guidance and requirements to secure media assets across the workflow. The standard details a set of “controls” designed to ensure the continued integrity of intellectual property, confidentiality, and media asset security, at all stages of the supply chain.

The standard is auditable: once a system has been validated by an external (CDSA-appointed) auditor, the CDSA issues a certificate of compliance with the CPS program. To maintain compliance, the certified entity (here, Azure Media Services) must submit the results of annual audits to the CDSA. In other words, each year our team must re-validate our CSMS and show the CDSA that we still meet the requirements of the CPS program.

To obtain this certification, Azure Media Services was required to provide evidence of a risk assessment against the CPS standard's requirements, as well as a comprehensive “Statement of Applicability” describing the breadth and depth of the content protection features Azure Media Services provides throughout the encoding and delivery workflow.

Azure Media Services is the only cloud media platform in the market that can offer on-the-fly encryption for both video-on-demand and live streaming broadcasts. It also provides a number of secure upload channels for content, including the ExpressRoute private network connection to Azure, accelerated UDP upload via IBM's Aspera software, and HTTPS upload over the public Internet.


To achieve initial certification from the CDSA, we had to review and adhere to over 300 security controls covering the physical data centers, encryption and key management, storage facilities, and the software layers that handle valuable media assets.

Before formally requesting certification, our team had already achieved ISO/IEC 27001:2013, ISO/IEC 27018, FedRAMP, EU Model Clauses, SOC 1 and SOC 2 compliance. These are continuous compliance programs: we are required to monitor our controls constantly and to renew each attestation at fixed points in time, with audit periods of up to six months.